
Is this search achievable?

Is it possible for Splunk to return all dates that meet the following, and how?

Every day, for the first 5 events, note the highest of A (say high-A) and note the lowest of B (say low-B). For the 6th event onwards till the last event, once A is higher than high-A, B is not lower than low-B.

Thanks somesoni2 for the quick response. However, as I found the timestamps of my data messed up, I need to re-organize it first before I can know whether this works or not. Just give me a few days for this. Thanks.

The first portion of the search "your base search giving _time High Low" is a placeholder for your actual search string, which will give results with the fields _time, fieldA (which is High) and fieldB (which is Low). See the updated answer.

I think it is better to use my data to explain what I need to achieve. E.g. for the first 5 events of 20140701, the highest is 100 and the lowest is 94, and for the rest of 20140701 there is nothing higher than 100, so the search should return nothing for 20140701.

Say, e.g. if an event is higher than 100 for the rest of 20140701, and then no longer below 100, the search should return 20140701.

Let's try to break down the query and see what the problem is.

1) Execute this and let me know if you get a table with 3 columns - Date High Low - with data in it.

index=yourIndexName sourcetype=yourSourceTypeName | table Date High Low

2) If the above works, then execute this and let me know if you get a table with 6 columns - Date High Low sno MaxHigh MinLow - where the last 3 fields have values for the first 5 rows of a day.

For the last 3 fields, the search returns the same row 5 times for each day, as follows:

sno=20140704 MaxHigh=197 MinLow=194
sno=20140703 MaxHigh=197 MinLow=94
sno=20140702 MaxHigh=84 MinLow=78
sno=20140701 MaxHigh=97 MinLow=94

I'll try to make up some data so it can easily be seen where these values come from.

You can add a command "| reverse" before the streamstats to reverse the event list, and it will pick up the first 5. You can add another "| reverse" at the end if you want the final result to be shown in chronological order (the order before the first "| reverse" command).

However, I need only the date, not the list of events, as there are many. Also, the search string can't filter out those days where, once from the 6th event onwards High is higher than the max High of the first 5 events, Low is lower than the min Low of the first 5 events.
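The day rule from the question, written out as an added Python reference implementation to pin down the logic before building the SPL; this is not the answer from the thread nor Splunk code, and the rows are constructed. It assumes a day with five or fewer events is skipped, and reads "once A is higher than high-A" as: from the first post-warm-up event whose High strictly exceeds MaxHigh through the end of the day, no Low may fall below MinLow.

```python
from collections import defaultdict

# Constructed sample events (timestamp, High, Low); not data from the thread.
SAMPLE_EVENTS = [
    # 2014-07-01: first 5 give MaxHigh=100, MinLow=94; nothing later exceeds 100 -> not returned
    ("2014-07-01 09:00", 100, 96), ("2014-07-01 09:05", 98, 94), ("2014-07-01 09:10", 99, 95),
    ("2014-07-01 09:15", 97, 95), ("2014-07-01 09:20", 96, 94), ("2014-07-01 09:25", 100, 95),
    # 2014-07-02: MaxHigh=84, MinLow=78; 09:30 breaks above 84 and no later Low drops below 78 -> returned
    ("2014-07-02 09:00", 84, 80), ("2014-07-02 09:05", 82, 78), ("2014-07-02 09:10", 83, 79),
    ("2014-07-02 09:15", 81, 79), ("2014-07-02 09:20", 84, 80), ("2014-07-02 09:25", 83, 79),
    ("2014-07-02 09:30", 90, 85), ("2014-07-02 09:35", 88, 80),
    # 2014-07-03: MaxHigh=97, MinLow=94; 09:25 breaks above 97 but 09:30 Low=90 < 94 -> not returned
    ("2014-07-03 09:00", 97, 94), ("2014-07-03 09:05", 95, 94), ("2014-07-03 09:10", 96, 95),
    ("2014-07-03 09:15", 97, 95), ("2014-07-03 09:20", 96, 94), ("2014-07-03 09:25", 105, 99),
    ("2014-07-03 09:30", 100, 90),
    # 2014-07-04: only 3 events, fewer than the 5-event warm-up -> skipped (assumption)
    ("2014-07-04 09:00", 197, 194), ("2014-07-04 09:05", 196, 195), ("2014-07-04 09:10", 195, 194),
]

def day_qualifies(day_events, warmup=5):
    """day_events: one day's (timestamp, High, Low) tuples in chronological order."""
    if len(day_events) <= warmup:
        return False
    first = day_events[:warmup]
    max_high = max(high for _, high, _ in first)   # high-A over the first 5 events
    min_low = min(low for _, _, low in first)      # low-B over the first 5 events
    rest = day_events[warmup:]
    # First later event whose High strictly exceeds MaxHigh; none -> day not returned
    start = next((i for i, (_, high, _) in enumerate(rest) if high > max_high), None)
    if start is None:
        return False
    # From that event to the end of the day, no Low may fall below MinLow
    return all(low >= min_low for _, _, low in rest[start:])

def breakout_days(events, warmup=5):
    """Return the sorted list of days (YYYY-MM-DD) that satisfy the rule."""
    by_day = defaultdict(list)
    for ts, high, low in events:
        by_day[ts[:10]].append((ts, high, low))
    # ISO timestamps sort chronologically as strings (the "| reverse" step in the thread)
    return [day for day in sorted(by_day) if day_qualifies(sorted(by_day[day]), warmup)]

if __name__ == "__main__":
    print(breakout_days(SAMPLE_EVENTS))  # ['2014-07-02']
```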
